fix: allow AF_UNIX sockets for nix daemon communication

The flake collector needs Unix domain sockets to communicate with the nix daemon. The RestrictAddressFamilies hardening was blocking this. Also trim trailing newlines from stderr in error messages. Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>
2026-02-06 23:33:15 +01:00
parent 95bf85dce4
commit d4b9577070
2 changed files with 4 additions and 2 deletions
--- a/module.nix
+++ b/module.nix
@@ -114,7 +114,9 @@ in
        ProtectKernelTunables = true;
        ProtectKernelModules = true;
        ProtectControlGroups = true;
-        RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ];
+        # AF_UNIX required for nix daemon communication when flake collector enabled
+        RestrictAddressFamilies = [ "AF_INET" "AF_INET6" ]
+          ++ lib.optionals cfg.flake.enable [ "AF_UNIX" ];
        RestrictNamespaces = true;
        RestrictRealtime = true;
        RestrictSUIDSGID = true;